

Securing Access Modules

About Access Modules

An access module is a set of compiled and optimized SQL statements. Certain characteristics of the access module are contained in its dictionary definition. The actual module to be loaded at runtime may be regenerated because of changed database characteristics and aspects of the access module definition.

When you secure resource type DB, you can control who can create and maintain an access module definition. Until you secure resource type DB, any user can create and maintain an access module definition.

How to Secure Access Modules

You secure access modules by securing the DB resource.

Note: For more information, see Securing Databases.

If you secure access modules externally, you must also include an entry in the SRTT with external security information for resource types DACC (access module definition) and SACC (loadable entity).

How to Grant Access Module Definition Privilege

To allow a user to create and maintain an access module definition, you issue a GRANT statement on the access module resource type, specifying the privilege or privileges and identifying the access module. You can specify any combination of CREATE, ALTER, DROP, and DISPLAY privileges, or you can specify all definition privileges (DEFINE).

As a holder of SYSADMIN or DBADMIN privilege, or as owner of the access module, you can specify WITH GRANT OPTION when you grant definition privileges to allow the recipient to grant the same privileges to another user.


How to Grant Access Module Execution Privilege

Two security checks are involved in granting access module execution privilege. The categorization of access modules controls who can load an access module; it does not control who can execute the SQL statements in the access module. Think of an access module as you would any other load module: you need both the authority to load the module and the authority to perform the database access in the program.

As mentioned before, there are two levels of authority that must be granted to implement access module and DB security:

To allow a user to execute an individual access module, you issue a GRANT statement on the access module resource type, specifying the EXECUTE privilege and identifying the access module.

As a holder of SYSADMIN or DBADMIN privilege, or as owner of the access module, you can specify WITH GRANT OPTION when you grant execution privilege to allow the recipient to grant the same privilege to another user.
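
The definition and execution grants described above, shown as a least-privilege split between three roles. This is an added example, not taken from the product documentation: the schema, access module, and user names are hypothetical, and the `ON ACCESS MODULE` clause spelling is an assumption based on the resource type named on this page.

```sql
-- Added example. PAYSCHEMA.PAYAM01, DEVUSER1, DBAUSER1 and APPUSER1
-- are hypothetical names; the ON ACCESS MODULE clause is assumed.

-- Developer: may create, change and view the access module definition,
-- but may not drop it and may not pass these privileges on.
GRANT CREATE, ALTER, DISPLAY
   ON ACCESS MODULE PAYSCHEMA.PAYAM01
   TO DEVUSER1;

-- Administrator: all definition privileges (DEFINE covers CREATE,
-- ALTER, DROP and DISPLAY), plus the right to grant them to others.
GRANT DEFINE
   ON ACCESS MODULE PAYSCHEMA.PAYAM01
   TO DBAUSER1
   WITH GRANT OPTION;

-- Application user: execution privilege only, with no grant option,
-- so the privilege cannot be propagated further. This satisfies the
-- load check only; authority for the database access performed by
-- the program is a separate check and must be granted separately.
GRANT EXECUTE
   ON ACCESS MODULE PAYSCHEMA.PAYAM01
   TO APPUSER1;
```

Keeping WITH GRANT OPTION off the developer and application grants means only the SYSADMIN or DBADMIN holder, the owner, and DBAUSER1 can extend access to this module.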

Note: For more information, see the following sections: